The present invention relates to security systems for controlling access to computer systems and networks, and more particularly, to techniques for protecting password-based security systems.
Unauthorized disclosure of private information, identity theft, and financial damages are often the result of users unknowingly providing sensitive information to untrusted or malicious applications. Users are, through increasingly elaborate methods, fooled into believing that the application to which they are providing the sensitive information is trustworthy. There are several reasons for the success rate of these attacks, among them the users' willingness to accept applications as trustworthy for convenience and the level of sophistication of the attacks.
“Phishing” is a well-known term for the fraudulent method of tricking end-users into divulging personal information to fraudster-controlled applications, through legitimate-looking requests that include instructions to contact some well-known service provider's application, when in reality the instructions will lead to a contact with an application under the fraudster's control. The intent of the fraud is to acquire sensitive information from the recipients of the requests by making them believe they have contacted a legitimate application. The sought-after information can be user credentials such as static passwords, account information, credit card information, etc. The term “Phishing” relates to the fraudulent method—i.e., the attacker is fishing for information, by sending out bait, for example an e-mail. The spelling follows in the tradition of earlier fraud schemes, in particular a computer telephony fraud—“Phone Phreaking”—that occurred in the 1970s and 1980s.
Phishing is an increasingly severe problem for application providers and end users, and a reason not only for identity theft but also for loss of personal and corporate revenues, and in the extreme for loss of confidence in the Internet as a viable medium for personal financial transactions.
One prior art approach to dealing with phishing attacks is filtering, in which software on the user's computer detects requests for the user's password or other form data, and warns the user or prevents the user from providing the password to untrustworthy applications. However, this is only a partial solution, because it is often difficult for the user or the user's computer to determine whether an application is trustworthy, and users are often too willing to accept new applications as trustworthy just for convenience, even when they should know better. In effect, the user's computer needs to manage a “trust list,” and as is well known from public-key infrastructure (PKI) implementations, trust lists are especially challenging to manage.
Another prior art approach that one may consider for dealing with phishing attacks is to apply cryptography. However, cryptography has been shown to be insufficient. Server authentication with public-key cryptography, for instance by the SSL protocol, helps to ensure that the user's computer has a secure session and prevents eavesdropping, but the secure session may be with an untrustworthy application.
Mutual authentication with symmetric cryptography is another potential prior art approach for dealing with phishing attacks. This approach has proven to be somewhat better than the others described above, because the application requesting information must also demonstrate knowledge of a password, but such a system needs to be carefully designed. Challenge-response protocols based on a key derived from a password (e.g., MS-CHAP [Zorn00]) are one approach, but are limited because typical passwords are not cryptographically strong, so a rogue server can potentially recover the password by trial-and-error against the responses it collects. Zero-knowledge password protocols and password-authenticated key exchange protocols such as Encrypted Key Exchange (EKE, [Bel92]) and Simple Password-authenticated Exponential Key Exchange (SPEKE, [Jab96]) (which are two of a large number of examples) are better, but they still depend on some filtering of password requests. Otherwise a rogue server can simply ask for passwords directly without running the protocol. Moreover, the protocol flows in both cases are different from the straightforward “username/password” exchange, and require more careful integration with common security protocols such as SSL and TLS.
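The following is an added illustration, not part of the patent text and not the actual MS-CHAP algorithm, of the weakness just described: when the shared key is derived from the password alone, any party that has seen one challenge and its response can check password guesses offline. The key derivation, the HMAC response and the short word list are simplifications constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed stand-in for a password-derived-key challenge-response login.
# The design mirrors the MS-CHAP style discussed above, not its real algorithm.

def derive_key(password: str) -> bytes:
    # The key depends on nothing but the password, so the response below can
    # be recomputed by anyone who can guess the password.
    return hashlib.sha256(password.encode("utf-8")).digest()

def compute_response(password: str, challenge: bytes) -> bytes:
    return hmac.new(derive_key(password), challenge, hashlib.sha256).digest()

def client_login(password: str, challenge: bytes) -> bytes:
    """Client side: answer whichever challenge the (possibly rogue) server sent."""
    return compute_response(password, challenge)

def verifier_without_secret(challenge: bytes, response: bytes,
                            candidates: Iterable[str]) -> Optional[str]:
    """A server that never held the password still recognises it once guessed:
    the response binds to the challenge, but not to anything the server lacks.
    This is why the scheme is only as strong as the password itself."""
    for guess in candidates:
        if hmac.compare_digest(compute_response(guess, challenge), response):
            return guess
    return None

def demo(password: str = "sunshine") -> Optional[str]:
    # Constructed sample transcript: one random challenge, one honest response.
    challenge = os.urandom(16)
    response = client_login(password, challenge)
    # Constructed word list standing in for "typical passwords are not strong".
    wordlist = ["letmein", "password", "sunshine", "qwerty"]
    return verifier_without_secret(challenge, response, wordlist)

if __name__ == "__main__":
    print("recovered from transcript:", demo())
```

A password-authenticated key exchange such as EKE or SPEKE removes this offline check, which is why the text rates those protocols as better.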
In any case, static passwords are inherently risky, since if the protection does fail, and a password is intercepted, the user can be impersonated. The security is very “brittle” in this sense. Passwords should ideally be changed often; but it may be difficult to change a password securely if the user's computer is being “phished” regularly.
Hardware tokens (e.g., smart cards) and software tokens can also provide some protection to phishing attacks, but such tokens may require special interfaces to a user's computer, or local state. Hence, despite the availability of token-based solutions, password authentication still remains a predominant approach. Downloadable software tokens are increasingly common, but the user must first generally authenticate to a credential provider before downloading the software token—and this itself may be an avenue for a phishing attack.
One-time password devices are better than static passwords as they change automatically, and they are arguably more convenient than hardware and software tokens because they can be employed directly within the “username/password” paradigm, without new interfaces to the user's computer, or local state. However, they are still subject to “real-time” phishing, which is becoming increasingly common. In a real-time phishing attack, the attacker immediately presents the one-time password to the correct application in order to gain access to the user's account.
Moreover, since one-time password authentication is generally unilateral—i.e., only the user's knowledge of the password is authenticated, not the application's knowledge—the user may well continue to interact with the attacker's application, providing sensitive information. The attacker's application does not even need to access the user's account in order to do this.
Cryptographic techniques can indeed provide mutual authentication; for instance the zero-knowledge protocols mentioned above, or the SHAKE ([Lar01]) protocol. But the latter may involve too many protocol messages to be practical, and both require careful integration with established security protocols. Moreover, both approaches are complicated by the fact that several one-time passwords may be valid at the same time. Either the protocol must be modified so that the server can “commit” to more than one password at a time, or else the user's computer and the server may need to run the protocol multiple times.